// SCAN REPORT

Open WebUI MCP Server

82 tools. 47 can modify or destroy data without limits.

17 destructive tools with no built-in limits. Policy required.

Last updated:

47 can modify or destroy data
35 read-only
82 tools total

Community server · catalogue entry verified 12/06/2026

How to control Open WebUI MCP Server ↓

TOOL MAP

What Open WebUI MCP Server exposes to your agents

Read (35) Write / Execute (30) Destructive / Financial (17)

Running more than one server? Check your whole stack →

MOST DANGEROUS TOOLS
Critical Risk

The most dangerous Open WebUI MCP Server tools

Destructive · Critical delete_all_files This tool irreversibly deletes all files in the Open WebUI system with no recovery mechanism. Destructive · High delete_group Deleting a group is an irreversible operation that destroys group data and severs all user-group associations. Destructive · High delete_model This tool performs an irreversible deletion operation on a model resource. Destructive · Critical delete_user This tool permanently removes a user account from the Open WebUI system.

47 of Open WebUI MCP Server's 82 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

POLICY

How to control Open WebUI MCP Server

PolicyLayer is an MCP gateway — it sits between your AI agents and Open WebUI MCP Server, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "delete_all_chats": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "remove_user_from_group": {
    "limits": [
      {
        "counter": "remove_user_from_group_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "get_banners": {
    "limits": [
      {
        "counter": "get_banners_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Open WebUI MCP Server — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON OPEN WEBUI →

Free to start. No card required.

FULL CATALOGUE

All 82 Open WebUI MCP Server tools

DESTRUCTIVE 17 tools
Destructive delete_all_chats Delete all your chats. WARNING: Cannot be undone! Destructive delete_all_files Delete all files. ADMIN ONLY. WARNING: Cannot be undone! Destructive delete_all_memories Delete all your memories. WARNING: Cannot be undone! Destructive delete_channel Delete a channel and all its messages. Destructive delete_channel_message Delete a message from a channel. Destructive delete_chat Delete a chat. Destructive delete_file Delete a file. Destructive delete_folder Delete a folder. Destructive delete_function Delete a function. Destructive delete_group Delete a group. ADMIN ONLY. Removes all users from the group. Destructive delete_knowledge_base Delete a knowledge base and all its files. WARNING: Cannot be undone! Destructive delete_memory Delete a specific memory. Destructive delete_model Delete a custom model. ADMIN ONLY. Destructive delete_note Delete a note. Destructive delete_prompt Delete a prompt template. Destructive delete_tool Delete a tool. Destructive delete_user Delete a user. ADMIN ONLY. WARNING: Cannot be undone!
EXECUTE 3 tools
Execute reset_memories Re-embed all memories in the vector database. Execute create_function Create a new function (filter or pipe) with Python code. Execute create_tool Create a new custom tool with Python code.
WRITE 27 tools
Write remove_user_from_group Remove a user from a group. ADMIN ONLY. Write clone_chat Clone a shared chat to your account. Write share_chat Share a chat (make it publicly accessible). Write toggle_function Toggle a function's enabled/disabled state. Write add_memory Add a new memory to your memory store. Write add_user_to_group Add a user to a group. ADMIN ONLY. Write archive_chat Archive a chat. Write create_channel Create a new team chat channel. Write create_folder Create a new folder. Write create_group Create a new group. ADMIN ONLY. Write create_knowledge_base Create a new knowledge base for RAG. Write create_model Create a new custom model wrapper. ADMIN ONLY. Write create_note Create a new note with markdown content. Write create_prompt Create a new prompt template triggered by a command. Write post_channel_message Post a message to a channel. Optionally reply to a parent message. Write update_channel Update a channel's name or description. Write update_file_content Update the extracted text content of a file. Write update_folder Rename a folder. Write update_function Update a function's name or code. Write update_group Update a group's name or description. ADMIN ONLY. Write update_knowledge_base Update a knowledge base's name or description. Write update_memory Update an existing memory. Write update_model Update a model's name, system prompt, or parameters. Write update_note Update a note's title or content. Write update_prompt Update a prompt template. Write update_tool Update a tool's name or code. Write update_user_role Update a user's role. ADMIN ONLY. Roles: 'admin', 'user', 'pending'.
READ 35 tools
Read get_banners Get system notification banners. Read get_channel Get details for a specific channel. Read get_channel_messages Get messages from a channel with pagination. Read get_chat Get a chat's details and message history. Read get_current_user Get the currently authenticated user's profile. Read get_file Get metadata for a specific file. Read get_file_content Get the extracted text content from a file. Read get_folder Get folder details. Read get_function Get details for a specific function. Read get_group Get details for a specific group including members. Read get_knowledge_base Get details for a knowledge base including file list. Read get_model Get details for a specific model including system prompt and parameters. Read get_models_config Get default models configuration. ADMIN ONLY. Read get_note Get a specific note by ID. Read get_prompt Get a prompt template by its command. Read get_system_config Get system configuration. ADMIN ONLY. Read get_tool Get details for a specific tool. Read get_tool_servers Get tool server (MCP/OpenAPI) connections. ADMIN ONLY. Read get_user Get details for a specific user. ADMIN ONLY. Read list_channels List all team chat channels. Read list_chats List your chats. Read list_files List all uploaded files with metadata. Read list_folders List all folders for organizing chats. Read list_functions List all functions (filters and pipes). Read list_groups List all groups with their IDs, names, and member counts. Read list_knowledge_bases List all knowledge bases with their IDs, names, and descriptions. Read list_memories List all your stored memories. Read list_models List all available models including custom models. Read list_notes List all your notes. Read list_prompts List all prompt templates. Read list_tools List all available tools (MCP, OpenAPI, custom). Read list_users List all users in Open WebUI. ADMIN ONLY. Read query_memories Search memories using semantic similarity. Read search_files Search files by filename pattern. Supports wildcards like .pdf Read export_config Export full system configuration. ADMIN ONLY.
EXPLORE

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Sperax Ecosystem Crypto & DeFI MCP Server 1318 tools
admin
Mcp Afip 1300 tools
admin
Mcp Ap2 1300 tools
admin
BNB Chain MCP 1240 tools
admin
Nodebench 824 tools
admin
Amazon Bedrock Knowledge Base Retrieval MCP Server 805 tools
admin
Amazon Data Processing MCP Server 805 tools
admin
Amazon ECS MCP Server 805 tools
admin
FAQ

Questions about Open WebUI MCP Server

Can an AI agent delete data through the Open WebUI MCP Server MCP server? +

Yes. The Open WebUI MCP Server server exposes 17 destructive tools including delete_all_chats, delete_all_files, delete_all_memories. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Open WebUI MCP Server? +

The Open WebUI MCP Server server has 27 write tools including remove_user_from_group, clone_chat, share_chat. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Open WebUI MCP Server.

How many tools does the Open WebUI MCP Server MCP server expose? +

82 tools across 3 categories: Destructive, Read, Write. 35 are read-only. 47 can modify, create, or delete data.

How do I enforce a policy on Open WebUI MCP Server? +

Register the Open WebUI MCP Server MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Open WebUI MCP Server tool call.

Deterministic rules across all 82 Open WebUI MCP Server tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

ENFORCE POLICY ON OPEN WEBUI →

Free to start. No card required.

82 Open WebUI MCP Server tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.